Questions about STOP ransomware

STOP ransomware is a data-locker that first made its appearance in December 2017. The malware uses a combination of AES and RSA algorithms to encrypt data and add .STOP file extension. However, new versions have been emerging almost every month and at the moment the virus is appending the following extensions: .SAVEfiles, .puma, .pumas, .pumax, .shadow, and .keypass. It is also worth mentioning that one of the most notorious variants is Keypass ransomware and Djvu ransomware that made headlines[1] when they targeted victims from over 20 countries. At the moment, Djvu ransomware is the most active version of STOP ransomware that has been demanding a ransom of $300 – $600 for data decryptor. The malware is using _openme.txt, !readme.txt or similar ransom notes, and urging users to contact crooks via restoredjvu@firemail.cc, stopfilesrestore@bitmessage.ch, helpshadow@india.com or similar email addresses.

To get rid of the ransomware, install Reimage and run a full system scan

STOP ransomware was initially discovered in December 2017. However, new variants appeared in August 2018 and some previous months. All of them behave similarly but appends new file extensions to the targeted data, provides slightly different ransom notes and use new contact email addresses.

The original version of malware[2] adds .STOP file extension to make files inaccessible on the affected Windows computer. As soon as STOP ransomware finishes the encryption procedure, the virus delivers a ransom note in “!!! YourDataRestore !!! txt” file. The message of the crooks tells that victims have to pay the ransom in 72 hours.

Authors of STOP virus demand to pay $600 in three days time. In order to give proof, hackers allow sending 1-3 “not very big” files for free test decryption to stopfilesrestore@bitmessage.ch or stopfilesrestore@india.com. However, these might be the only files you manage to get after the ransomware attack. Once you pay the ransom, crooks might disappear because they get what they wanted from you.

However, we want to stress out that paying the demanded price to the cybercriminals is a very risky task which may lead to a huge money loss. Once you pay those $600, you might be asked to pay for more. If you disagree or be left without promised decryption option, no one will help you to trace the criminals and get your money. So better avoid any contact with the crooks and check out the official STOP virus decryptor that you can find below this article.

STOP ransomware is spreading around with four different extensions: .STOP, .SUSPENDED, .CONTACTUS, .DATASTOP.

Therefore, we highly recommend forgetting about data recovery at the moment. The most important task is to remove STOP ransomware from the computer in order to make the system safe. For this reason, we suggest scanning the affected machine with anti-malware software like Reimage to remove STOP ransomware virus.

It's crucial to use professional security tools because this cyber threat might alter Windows Registry,[3] create new keys, install malicious files or affect legitimate system processes. It means that manual termination is nearly impossible. If you try to located and delete these entries yourself, you might cause damage to your machine. Hence, do not risk!

Once you take care of STOP ransomware removal, you can safely plug in external storage drive with backups or export needed files from cloud storage. If you haven't backed up your files yet and cannot perform full data recovery, you should try third-party tools that we mentioned at the end of the article. Hopefully, some of the files will be rescued. Furthermore, experts recently released an original decryptor for this ransomware that can recover some data and we have provided it below the article.

New variants of ransomware have been appearing almost every month in 2018

Suspended ransomware

At the beginning of the year, in February, malware researchers reported about STOP malware variant that uses .SUSPENDED file extension to lock documents, multimedia, databases, archives, and many other files. The behavior of ransomware is similar to the previous version, but it downloads a different ransom note after file encryption.

Suspended ransomware provides recovery instructions in ”!!RestoreProcess!!!.txt file and asks to send unique victim's ID and preferred sample files for the decryption to suspendedfiles@bitmessage.ch or suspendedfiles@india.com email addresses. The size of the ransom and deadline remain the same.

STOP ransomware came back with another version - Suspended ransomware.

CONTACTUS ransomware

At the end of May, another variant of STOP ransomware virus hit the surface. This version is using .CONTACTUS file extension to lock targeted files. Not only the appended suffix was changed. Crooks also renamed data recovery instructions, and now the document where all recovery options are provided is called !!!RESTORE_FILES!!!.txt. The contact email addresses were changed to decryption@bitmessage.ch and decryption@india.com:

All your important files were encrypted on this PC.All files with .CONTACTUS extension are encrypted.Encryption was produced using unique private key RSA-1024 generated for this computer.

To retrieve the private key and decrypt software, you need to CONTACTUS us by email decryption@bitmessage.ch send us an email your !!!RESTORE_FILES!!!.txt file and wait for further instructions.

For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.Price for decryption $600 if you contact us first 72 hours.

Your personal id:[redacted 40 characters]

E-mail address to contact us:decryption@bitmessage.ch

Reserve e-mail address to contact us:decryption@india.com

SaveFiles ransomware

Another STOP ransomware version emerged in September 2018. After using urpress.exe file as the main executable, this ransomware encrypts your data and marks locked files with .SAVEfiles appendix. Like other versions, this threat does this with the help of AES and RSA encryption methods. After the file modification, ransomware places a ransom note called !!!SAVE_FILES_INFO!!!.txt on every file that contains encrypted data.

The ransom note contains the following text:

WARNING!

Your files, photos, documents, databases and other important files are encrypted and have the extension: .SAVEfilesThe only method of recovering files is to purchase an decrypt software and unique private key.

After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.Only we can give you this key and only we can recover your files.

You need to contact us by e-mail BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch send us your personal ID and wait for further instructions.

For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.

Price for decryption $500. This price avaliable if you contact us first 72 hours.

As you can see, virus developers claim they have the tool for file recovery and decryption and encourage people to contact them via savefiles@india.com email. You shouldn't do that because criminals are not worthy of your trust. Better follow a provided guide to remove STOP ransomware. For that, you can use programs like Reimage or MalwarebytesMalwarebytesCombo Cleaner. Perform a full system scan to clean your system further. Then, try data recovery tools or programs and restore your files.

Puma ransomware

Puma ransomware is a decryptable virus. If you got infected, you can call yourself luckier than other victims because you have a chance to recover your encrypted files. However, only data having the .puma, .pumas, and .pumax appendixes can be unclocked by using a special decrypter (direct link provided) from virus experts. However, make sure you try this decrypter only after you remove malware from the system at first. Otherwise, the encryption procedure can be launched once again.

When inside the system, the virus drops !readme.txt ransom note to inform its victim about the current situation. Before that, malware launches the encryption procedure (for that it uses AES and RSA algorithm) to make all files installed on the system useless. The victim is given 72 hours to contact hackers. However, you should never do that to prevent further problems on your computer.

Tech experts have recently released an original STOP virus decryption key.

Shadow ransomware

At the beginning of December 2018, researchers discovered a variant that appends .shadow extension to the infected files. This file extension was firstly used by BTCWare ransomware virus back in 2017 and now seems like STOP malware authors adopted it as well.

Shadow ransomware virus is using a ransom note !readme.txt that explains how to proceed with the payment in Bitcoin. Crooks offer to decrypt one file for free, to prove that the decryptor is actually working. The contact emails helpshadow@india.com or helpshadow@firemail.cc should help with the communication. Allegedly, the 50% discount on the ransom price is valid within the first 72 hours of the infection.

As usual, we recommend avoiding any contact with threat actors. While this .shadow file virus is not decryptable at the time of the writing, you should wait till a free decryptor is released, just as it happened with Puma ransomware.

Djvu ransomware

The latest virus version is Djvu ransomware which has been appending several extensions: .djvu, .djvus, .djvuu, .udjvu, .uudjvu, .djvuq, .djvur. The virus has already affected thousands of users worldwide by using the most popular scheme used by ransomware to sneak into the target system – spam. Victims typically receive an email which is offering to know more about more about their parcel, invoice, report or delivery. However, downloading the attachment means letting the virus into the system.

Djvu ransomware is not decryptable, so the only way to recover encrypted data is to remove the virus first and then try third-party tools. Of course, if you have been backing your files before they got encrypted, you should find no worries. Just remove encrypted files from the system and install the good ones.

Crypto-virus might get into the system as soon as you open a malicious spam email

The executable of a file-encrypting virus typically spreads via malicious spam emails[4] that include attachments. With the help of social engineering, criminals trick victims into opening obfuscated attachment and letting malware into the system. You can spot a dangerous email from these signs:

You did not expect to get this email (e.g., you haven't ordered anything from Amazon, and you do not expect a FedEx courier to bring any parcel).

The letter lacks of credentials, such as company logo or signature.

The email is full of mistake or weirdly structured sentences.

The letter does not have a subject line, the body is empty and it includes only an attachment.

The content of the email urges to check the information in the attachment.

Sender's email address seems suspicious.

STOP malware has been actovely spreading around with the help of spam.

However, specialists from NoVirus.uk[5] tell that malware can also sneak into the system when a user clicks on a malicious ad, downloads corrupted program or its update, and applying any other techniques.

For this reason, internet users should learn to identify potential risks that might be lurking on the web. We want to remind that any security software[6] can fully protect you from ransomware attack. For this reason, watching your clicks and downloads, as well as creating and regularly updating backups are a must!

Get rid of STOP ransomware to recover your files

First of all, we want to discourage you from removing ransomware manually. This cyber threat includes numerous files and components that might look like legitimate system processes. Therefore, you can easily delete wrong entries and cause more damage. For this reason, you have to opt for automatic STOP ransomware removal.

The virus might block access to security software which is needed for the removal, so you should disable the virus first by booting to Safe Mode with Networking. The instructions below will explain to you how it's done. It doesn't matter which version of malware affected your PC, the removal guide remains the same.

What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.

Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete STOP removal.

If your ransomware is blocking Safe Mode with Networking, try further method.